Rapid7 Blog

May 2013 - Patch Tuesday, the "yet another IE 0-day edition"


Going into this Patch Tuesday the big question was: will MS13-038 address the “Department of Labor IE 0-day” (CVE-2013-1347)? Microsoft had hinted strongly that a patch was on the way, with the unspoken caveat that there is always a risk of it getting pulled at the last minute for quality issues. As it turns out, MS13-038 is what was expected and should address the “Department of Labor IE 0-day,” which is great. So hooray for that. Start patching with this one and follow it up with MS13-037 (the other critical IE patch).

On one level, this is Microsoft at their security best. They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches. On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft's patching and support models. Compare this to Google's Chrome browser, which quietly patches itself as fixes become available and has no supported down-level “old version” of the kind that exposes millions of users to risk. Or compare it to Firefox, which has straddled the fence with periodic Long-Term-Support (LTS) releases for risk-averse IT departments but now defaults its users to the same model as Chrome. Microsoft is tying up resources in maintaining the older versions and extending the window during which users are exposed to risk through its opt-in updates and periodic patching model.

The other notable item this month is MS13-039, a denial of service affecting the HTTP client and server stack that is part of Windows. While DoS attacks are generally considered second (or third) tier as far as risk, this one could be very disruptive to an organization, since many remote services and Active Directory integrations rely on http.sys.

The vulnerability in Lync requires a victim to choose to view a malicious presentation and the issue in .NET does not affect the default configuration. Neither should be ignored, but neither is critical.

Otherwise, there is a whole pile of CVEs in Microsoft's wayward child of the Office family, Publisher, which hardly anyone is going to care about. Rounding out the month are a vulnerability in Word, one in Visio, and the usual important-but-not-crucial monthly patch to the Windows kernel drivers.
